Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key Management/ Infrastructures Security 07. 2 Basic problem Cryptographic security: must be some keys that are not cryptographically protected. Must.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Key Management/ Infrastructures Security 07. 2 Basic problem Cryptographic security: must be some keys that are not cryptographically protected. Must."— Presentation transcript:

1 Key Management/ Infrastructures Security 07

2 2 Basic problem Cryptographic security: must be some keys that are not cryptographically protected. Must find other ways to protect these keys.

3 3 How can the system identify you? Passwords –Something you know Hardware –Something you have Biometrics –Something you are

4 4 Password A sequence of characters known to only user and system, fx –QWERTY –8676 –Cis#1isT$

5 5 Attacks/aspects Steal from systemStorage by system Steal password from owner Storage by owner Steal password while it is used Use of password Guess passwordChoice of password AttacksAspects

6 6 Choice of password Keyspace: long passwords = many possibilities –4-digit PIN-code: 10.000 possibilities –Unix password:  2 52 Practical limit –Max remember 12 characters under pressure

7 7 Passphrases Length not enough – quality matters Passphrases: –Course in security number 1 is Top-dollar –Cis#1isT$ As hard to guess as random passwords! If users don’t do as they are told? - Programs rejecting bad passwords. Or programs that help estimate quality.

8 8 Guessing a password Simply attempt to log on until you succeed. After 3 attempts, block account  ?! –Good if attacker wants to log in –Bad if purpose is denial of service. –Better with delays after failed attempts.

9 9 Steal password under transmission Look over the shoulder –Physically – or electronically: Spyware Fake hardware Network eavesdropping Solutions involve –Cryptography –Hardware –Biometrics

10 10 Steal password from user If it’s written down? –Piece of paper in dust bin Devices for remembering PIN-codes can help BUT: Social engineering…

11 11 Social engineering 336 students were asked by mail to send back their passwords to validate the password database 138 returned their passwords!! A few changed their passwords, but no one reported to the system administrator Passwords for chocolate ?!

12 12 More (less?) sophisticated methods: Call the company Naive software solutions: ”I’m security administrator at IBM, the software you delivered has a problem, I need your password…” Phising: send mails leading people to fake web pages: we need to validate your account, click here – and enter your password..

13 13 Social engineering – defenses? One of the most effective ways to break into systems Information and education Technology: make sure it takes more than you can steal by phising.. –Hardware –Biometrics

14 14 Stealing passwords from systemet Password-database in cleartext  Better method: store a complicated function of password and not the password itself. No guarantee: with badly chosen passwords, this may also fail.

15 15 Password-DB by one-way functions Table with entries: –U, user –f(password of U) Where f is a function that is easy to compute but hard to invert. No immediate information on passwords in table. Nevertheless, an entered password can be checked.

16 16 Dictionary attack One-way function is known Take a table of likely passwords. For each pw in table, compute f(pw) until match is found Up to 25% succes-rate in practice –Better choice of passwords - passphrases

17 17 Passwords - overview AspectAttackDefense ChoiceGuess Dictionary Passphrases Help to choose UsageSpyware, eavesdropping, … Training Hardware, biometrics, crypto User storageSocial engineeringTraining System storage”Steal DB” Dictionary One-way functions Better choice of pw

18 18 Hardware Not just: prevent exposure of keys. But also: Make sure your key exists in only one copy –easy to copy files, or magnetic stripe cards –If copying hard, or takes time, better chance that theft is detected Means hardware can be useful even if break- in possible

19 19 Chip-card Cards with computer on board –CPU, RAM, I/O, even RSA co-processor Fx the new DanKort, SIM-cards for mobile phones … Physical intrusion not impossible, but hard..

20 20 Always necessary to break in? – Analysis of current usage Naiv implementation pf RSA-encryption –Scan bits in key one by one: If 0, one set of instructions If 1, another –Very big difference in current usage of the two –Measure current usage, plot => private-key in cleartext!

21 21 Tamper resistance American standard: FIPS Must detect –Cooling –Shaking –Explosion –Magnetic fields –…

22 22 An example IBM 4758 Evaluated to max FIPS- level Used by many banks No known attacks on physical protections – but attacks on API previously

23 23 Authenticity – again(!) Scenario: –RSA private-key in IBM4758, can only be accessed with smart card and PIN code. Via software you download (applet) you instruct system to sign document. But what is actually signed?!

24 24 Hardware - overview Protection – tamper-proof – or: – tamper -evident. Attacks –Bad API’s –Unforseen sideeffect –Control over both hard- and software?

25 25 Biometrics Traditionally: –Man-man –Based on signatures, photos, etc. Here: –Man-machine –Based on measurement of physical characteristics BornholmsTrafikken

26 26 General Solution Function from individual to data –Based on particular biological characteristics –Database on these Identifikation: –Measure –(Re-)calculate function –Compare to database

27 27 False negatives and positives False negative: rejected, even though you are a legal user False positive: approved, although you shouldn’t be. Cannot be completely avoided. What is acceptable is decided by application.

28 28 Technology Iris-scanning Fingerprint Face shape Handgeometry Speach … Often the first two are best

29 29 Pro’s and Con’s You always bring yourself But: Anonymity, privacy May be other ways to get in than by imitating the physical characteristics Natural physical change of user. Note: Your fingerprint is not a signature! Biometrics good for access control to your signature key, but cannot replace it

30 30 Key management - overview Password (knows) Biometrics (is) Hardware (has) Key

31 31 Have seen ways for system to identify who wants access to something (here a key) Must prevent access without being approved by system Need ways to ”lock up” the ressource.. A remaining question

32 32 Two ways to ”lock it up” If secure hardware around, easy If not, must go back to crypto Ex: key to be protected by password without hardware security – must encrypt key under password Problem: can test all passwords. Solution: slow the process down.

Download ppt "Key Management/ Infrastructures Security 07. 2 Basic problem Cryptographic security: must be some keys that are not cryptographically protected. Must."

Similar presentations

The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.

The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Next Generation Two Factor Authentication. Laptop Home / Other Business PC Hotel / Cyber Café / Airport Smart Phone / Blackberry 21 st Century Remote.

Next Generation Two Factor Authentication. Laptop Home / Other Business PC Hotel / Cyber Café / Airport Smart Phone / Blackberry 21 st Century Remote.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Similar presentations

Ads by Google